Security certificates ‘the next big market’ for cybercrime

Phil Taylor, 01-Nov-2017

There is a thriving trade in code-signing certificates on the dark web that can allow criminals to hack into and modify software, says a new report.

These digital security certificates – used to control who can access and modify a programme’s code – are changing hands for up to $1,200 on illicit dark web sites, more than counterfeit US passports, stolen credit cards and illegal handguns, it says.

Their value comes from the opportunity for cybercriminals to break into systems and install malware, break into encrypted information and clone or ‘spoof’ trusted websites, according to the report, which is based on a six-month research effort conducted by the UK-based Cyber Security Research Institute (CSRI) and security consultancy Venafi.

Earlier surveys by Venafi have shown that 86 per cent of chief information officers say that the sale of cryptographic keys and digital certificates is the next big market for cybercriminals.

It’s a problem that is only likely to get bigger, given recent dramatic increases in the use of these security measures, and an almost exponential rise in the number of connected devices that need keys and certificates.

“We’ve known for a number of years that cyber criminals actively seek code signing certificates to distribute malware through computers,” said Peter Warren, chairman of the CSRI.

“The proof that there is now a significant criminal market for certificates throws our whole authentication system for the internet into doubt and points to an urgent need for the deployment of technology systems to counter the misuse of digital certificates.”

While it proved difficult to uncover, Venafi chief security strategist Kevin Bocek said it is likely that the trade in code-signing certificates is the visible tip of a large iceberg, sitting on top of an illicit trade in keys and certificates for other cryptographic security measures such as transport layer security (TLS), virtual private networks (VPN) and secure shell (SSH).

“With stolen code signing certificates, it’s nearly impossible for organizations to detect malicious software. Any cybercriminal can use them to make malware, ransomware, and even kinetic attacks trusted and effective,” said Warren.

“In addition, code signing certificates can be sold many times over before their value begins to diminish, making them huge money makers for hackers and dark web merchants.”